log analyses

comafrf
27.08.2008, 14:54
I am new here, I am from Brazil, and would like somebody to analyze this log. Thanks.

<AVZ_CollectSysInfo>
--------------------
Start time: 2008-08-27 07:56
Duration: 00:06:38
Finish time: 2008-08-27 08:03

<AVZ_CollectSysInfo>
--------------------
Time Event
---- -----
2008-08-27 07:56 Windows version: Microsoft Windows XP, Build=2600, SP="Service Pack 3"
2008-08-27 07:56 System Restore: enabled
2008-08-27 07:56 1.1 Searching for user-mode API hooks
2008-08-27 07:56 Analysis: kernel32.dll, export table found in section .text
2008-08-27 07:56 Function kernel32.dll:CreateProcessA (99) intercepted, method ProcAddressHijack.GetProcAddress ->7C80236B->61F03F42
2008-08-27 07:56 Hook kernel32.dll:CreateProcessA (99) blocked
2008-08-27 07:56 Function kernel32.dll:CreateProcessW (103) intercepted, method ProcAddressHijack.GetProcAddress ->7C802336->61F04040
2008-08-27 07:56 Hook kernel32.dll:CreateProcessW (103) blocked
2008-08-27 07:56 Function kernel32.dll:FreeLibrary (241) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AC6E->61F041FC
2008-08-27 07:56 Hook kernel32.dll:FreeLibrary (241) blocked
2008-08-27 07:56 Function kernel32.dll:GetModuleFileNameA (373) intercepted, method ProcAddressHijack.GetProcAddress ->7C80B55F->61F040FB
2008-08-27 07:56 Hook kernel32.dll:GetModuleFileNameA (373) blocked
2008-08-27 07:56 Function kernel32.dll:GetModuleFileNameW (374) intercepted, method ProcAddressHijack.GetProcAddress ->7C80B465->61F041A0
2008-08-27 07:56 Hook kernel32.dll:GetModuleFileNameW (374) blocked
2008-08-27 07:56 Function kernel32.dll:GetProcAddress (409) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AE30->61F04648
2008-08-27 07:56 Hook kernel32.dll:GetProcAddress (409) blocked
2008-08-27 07:56 Function kernel32.dll:LoadLibraryA (581) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D7B->61F03C6F
2008-08-27 07:56 Hook kernel32.dll:LoadLibraryA (581) blocked
2008-08-27 07:56 >>> Functions LoadLibraryA - preventing AVZ process from being intercepted by address replacement !!)
2008-08-27 07:56 Function kernel32.dll:LoadLibraryExA (582) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D53->61F03DAF
2008-08-27 07:56 Hook kernel32.dll:LoadLibraryExA (582) blocked
2008-08-27 07:56 >>> Functions LoadLibraryExA - preventing AVZ process from being intercepted by address replacement !!)
2008-08-27 07:56 Function kernel32.dll:LoadLibraryExW (583) intercepted, method ProcAddressHijack.GetProcAddress ->7C801AF5->61F03E5A
2008-08-27 07:56 Hook kernel32.dll:LoadLibraryExW (583) blocked
2008-08-27 07:56 Function kernel32.dll:LoadLibraryW (584) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AEDB->61F03D0C
2008-08-27 07:56 Hook kernel32.dll:LoadLibraryW (584) blocked
2008-08-27 07:56 IAT modification detected: GetModuleFileNameW - 009C0010<>7C80B465
2008-08-27 07:56 Analysis: ntdll.dll, export table found in section .text
2008-08-27 07:56 Analysis: user32.dll, export table found in section .text
2008-08-27 07:56 Analysis: advapi32.dll, export table found in section .text
2008-08-27 07:56 Analysis: ws2_32.dll, export table found in section .text
2008-08-27 07:56 Analysis: wininet.dll, export table found in section .text
2008-08-27 07:56 Analysis: rasapi32.dll, export table found in section .text
2008-08-27 07:56 Analysis: urlmon.dll, export table found in section .text
2008-08-27 07:56 Analysis: netapi32.dll, export table found in section .text
2008-08-27 07:57 >> Danger ! Process masking detected
2008-08-27 07:57 >>>> Suspicion for process masking 488 f:\arquivos de programas\windows live\messenger\msnmsgr.exe
2008-08-27 07:57 >>>> Suspicion for process masking 1644 f:\arquiv~1\nero\neroph~1\data\xtras\mssysmgr.exe
2008-08-27 07:57 1.2 Searching for kernel-mode API hooks
2008-08-27 07:57 Driver loaded successfully
2008-08-27 07:57 SDT found (RVA=083220)
2008-08-27 07:57 Kernel ntoskrnl.exe found in memory at address 804D7000
2008-08-27 07:57 SDT = 8055A220
2008-08-27 07:57 KiST = 804E26A8 (284)
2008-08-27 07:57 Function NtClose (19) intercepted (805678DD->F224D618), hook F:\WINDOWS\System32\Drivers\aswSP.SYS
2008-08-27 07:57 >>> Function restored successfully !
2008-08-27 07:57 >>> Hook code blocked
2008-08-27 07:57 Function NtConnectPort (1F) intercepted (805879EB->F239A040), hook F:\WINDOWS\System32\vsdatant.sys
2008-08-27 07:57 >>> Function restored successfully !
2008-08-27 07:57 >>> Hook code blocked
2008-08-27 07:58 Function NtCreateFile (25) intercepted (8056CDC0->F2396930), hook F:\WINDOWS\System32\vsdatant.sys
2008-08-27 07:58 >>> Function restored successfully !
2008-08-27 07:58 >>> Hook code blocked
2008-08-27 07:58 Function NtCreateKey (29) intercepted (8057065D->F224D4D4), hook F:\WINDOWS\System32\Drivers\aswSP.SYS
2008-08-27 07:58 >>> Function restored successfully !
2008-08-27 07:58 >>> Hook code blocked
2008-08-27 07:58 Function NtCreatePort (2E) intercepted (805975B1->F239A510), hook F:\WINDOWS\System32\vsdatant.sys
2008-08-27 07:58 >>> Function restored successfully !
2008-08-27 07:58 >>> Hook code blocked
2008-08-27 07:58 Function NtCreateProcess (2F) intercepted (805B135A->F23A0870), hook F:\WINDOWS\System32\vsdatant.sys
2008-08-27 07:58 >>> Function restored successfully !
2008-08-27 07:58 >>> Hook code blocked
2008-08-27 07:58 Function NtCreateProcessEx (30) intercepted (8057FC60->F23A0AA0), hook F:\WINDOWS\System32\vsdatant.sys
2008-08-27 07:58 >>> Function restored successfully !
2008-08-27 07:58 >>> Hook code blocked
2008-08-27 07:58 Function NtCreateSection (32) intercepted (805652B3->ED267700), hook F:\WINDOWS\system32\drivers\mbam.sys
2008-08-27 07:58 >>> Function restored successfully !
2008-08-27 07:58 >>> Hook code blocked
2008-08-27 07:58 Function NtCreateWaitablePort (38) intercepted (805DB124->F239A600), hook F:\WINDOWS\System32\vsdatant.sys
2008-08-27 07:58 >>> Function restored successfully !
2008-08-27 07:58 >>> Hook code blocked
2008-08-27 07:58 Function NtDeleteFile (3E) intercepted (805D800B->F2396F20), hook F:\WINDOWS\System32\vsdatant.sys
2008-08-27 07:58 >>> Function restored successfully !
2008-08-27 07:58 >>> Hook code blocked
2008-08-27 07:58 Function NtDeleteKey (3F) intercepted (805952BE->F23A26E0), hook F:\WINDOWS\System32\vsdatant.sys
2008-08-27 07:58 >>> Function restored successfully !
2008-08-27 07:58 >>> Hook code blocked
2008-08-27 07:58 Function NtDeleteValueKey (41) intercepted (80592D50->F224D9B2), hook F:\WINDOWS\System32\Drivers\aswSP.SYS
2008-08-27 07:58 >>> Function restored successfully !
2008-08-27 07:58 >>> Hook code blocked
2008-08-27 07:58 Function NtDuplicateObject (44) intercepted (805715E0->F23A0580), hook F:\WINDOWS\System32\vsdatant.sys
2008-08-27 07:58 >>> Function restored successfully !
2008-08-27 07:58 >>> Hook code blocked
2008-08-27 07:58 Function NtLoadDriver (61) intercepted (805A3AF1->F23943F0), hook F:\WINDOWS\System32\vsdatant.sys
2008-08-27 07:58 >>> Function restored successfully !
2008-08-27 07:58 >>> Hook code blocked
2008-08-27 07:58 Function NtLoadKey (62) intercepted (805AED5D->F23A28B0), hook F:\WINDOWS\System32\vsdatant.sys
2008-08-27 07:58 >>> Function restored successfully !
2008-08-27 07:58 >>> Hook code blocked
2008-08-27 07:58 Function NtMapViewOfSection (6C) intercepted (80573B61->F23A4270), hook F:\WINDOWS\System32\vsdatant.sys
2008-08-27 07:58 >>> Function restored successfully !
2008-08-27 07:58 >>> Hook code blocked
2008-08-27 07:58 Function NtOpenFile (74) intercepted (8056CD5B->F2396D70), hook F:\WINDOWS\System32\vsdatant.sys
2008-08-27 07:58 >>> Function restored successfully !
2008-08-27 07:58 >>> Hook code blocked
2008-08-27 07:58 Function NtOpenKey (77) intercepted (80568D59->F224D5AE), hook F:\WINDOWS\System32\Drivers\aswSP.SYS
2008-08-27 07:58 >>> Function restored successfully !
2008-08-27 07:58 >>> Hook code blocked
2008-08-27 07:58 Function NtOpenProcess (7A) intercepted (805717C7->F23A0350), hook F:\WINDOWS\System32\vsdatant.sys
2008-08-27 07:58 >>> Function restored successfully !
2008-08-27 07:58 >>> Hook code blocked
2008-08-27 07:58 Function NtOpenThread (80) intercepted (8058A1BD->F23A0150), hook F:\WINDOWS\System32\vsdatant.sys
2008-08-27 07:58 >>> Function restored successfully !
2008-08-27 07:58 >>> Hook code blocked
2008-08-27 07:58 Function NtQueryValueKey (B1) intercepted (8056A1F1->F224D6CE), hook F:\WINDOWS\System32\Drivers\aswSP.SYS
2008-08-27 07:58 >>> Function restored successfully !
2008-08-27 07:58 >>> Hook code blocked
2008-08-27 07:58 Function NtRenameKey (C0) intercepted (8064E79E->F23A3250), hook F:\WINDOWS\System32\vsdatant.sys
2008-08-27 07:58 >>> Function restored successfully !
2008-08-27 07:58 >>> Hook code blocked
2008-08-27 07:58 Function NtReplaceKey (C1) intercepted (8064F0FA->F23A2CB0), hook F:\WINDOWS\System32\vsdatant.sys
2008-08-27 07:58 >>> Function restored successfully !
2008-08-27 07:58 >>> Hook code blocked
2008-08-27 07:58 Function NtRequestWaitReplyPort (C8) intercepted (80576CE6->F2399C00), hook F:\WINDOWS\System32\vsdatant.sys
2008-08-27 07:58 >>> Function restored successfully !
2008-08-27 07:58 >>> Hook code blocked
2008-08-27 07:58 Function NtRestoreKey (CC) intercepted (8064EC91->F224D68E), hook F:\WINDOWS\System32\Drivers\aswSP.SYS
2008-08-27 07:58 >>> Function restored successfully !
2008-08-27 07:58 >>> Hook code blocked
2008-08-27 07:58 Function NtSecureConnectPort (D2) intercepted (8058F4DE->F239A220), hook F:\WINDOWS\System32\vsdatant.sys
2008-08-27 07:58 >>> Function restored successfully !
2008-08-27 07:58 >>> Hook code blocked
2008-08-27 07:58 Function NtSetInformationFile (E0) intercepted (8057494A->F2397120), hook F:\WINDOWS\System32\vsdatant.sys
2008-08-27 07:58 >>> Function restored successfully !
2008-08-27 07:58 >>> Hook code blocked
2008-08-27 07:58 Function NtSetSystemInformation (F0) intercepted (805A7BDD->F23941C0), hook F:\WINDOWS\System32\vsdatant.sys
2008-08-27 07:58 >>> Function restored successfully !
2008-08-27 07:58 >>> Hook code blocked
2008-08-27 07:58 Function NtSetValueKey (F7) intercepted (80572889->F224D80E), hook F:\WINDOWS\System32\Drivers\aswSP.SYS
2008-08-27 07:58 >>> Function restored successfully !
2008-08-27 07:58 >>> Hook code blocked
2008-08-27 07:58 Function NtTerminateProcess (101) intercepted (805822E0->F23A0CD0), hook F:\WINDOWS\System32\vsdatant.sys
2008-08-27 07:58 >>> Function restored successfully !
2008-08-27 07:58 >>> Hook code blocked
2008-08-27 07:58 Function NtUnloadDriver (106) intercepted (80619BD6->F23945F0), hook F:\WINDOWS\System32\vsdatant.sys
2008-08-27 07:58 >>> Function restored successfully !
2008-08-27 07:58 >>> Hook code blocked
2008-08-27 07:58 Functions checked: 284, intercepted: 31, restored: 31
2008-08-27 07:58 1.3 Checking IDT and SYSENTER
2008-08-27 07:58 Analysis for CPU 1
2008-08-27 07:58 Checking IDT and SYSENTER - complete
2008-08-27 07:58 1.4 Searching for masking processes and drivers
2008-08-27 07:58 Checking not performed: extended monitoring driver (AVZPM) is not installed
2008-08-27 07:58 Driver loaded successfully
2008-08-27 07:58 1.5 Checking of IRP handlers
2008-08-27 07:58 \driver\tcpip[IRP_MJ_CREATE] = F23ABC20 -> F:\WINDOWS\System32\vsdatant.sys
2008-08-27 07:58 \driver\tcpip[IRP_MJ_CLOSE] = F23ABC20 -> F:\WINDOWS\System32\vsdatant.sys
2008-08-27 07:58 \driver\tcpip[IRP_MJ_DEVICE_CONTROL] = F23ABC20 -> F:\WINDOWS\System32\vsdatant.sys
2008-08-27 07:58 \driver\tcpip[IRP_MJ_INTERNAL_DEVICE_CONTROL] = F23ABC20 -> F:\WINDOWS\System32\vsdatant.sys
2008-08-27 07:58 \driver\tcpip[IRP_MJ_CLEANUP] = F23ABC20 -> F:\WINDOWS\System32\vsdatant.sys
2008-08-27 07:58 Checking - complete
2008-08-27 07:59 F:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCP80.dll --> Suspicion for Keylogger or Trojan DLL
2008-08-27 07:59 F:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCP80.dll>>> Behavioral analysis
2008-08-27 07:59 Behaviour typical for keyloggers not detected
2008-08-27 07:59 F:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCR80.dll --> Suspicion for Keylogger or Trojan DLL
2008-08-27 07:59 F:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCR80.dll>>> Behavioral analysis
2008-08-27 07:59 Behaviour typical for keyloggers not detected
2008-08-27 07:59 Note: Do NOT delete suspicious files, send them for analysis (see FAQ for more details), because there are lots of useful hooking DLLs
2008-08-27 07:59 >> Services: potentially dangerous service allowed: TermService (Serviços de terminal)
2008-08-27 07:59 >> Services: potentially dangerous service allowed: Schedule (Agendador de tarefas)
2008-08-27 07:59 >> Services: potentially dangerous service allowed: RDSessMgr (Gerenciador de sessão de ajuda de área de trabalho remota)
2008-08-27 07:59 > Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
2008-08-27 07:59 >> Security: disk drives' autorun is enabled
2008-08-27 07:59 >> Security: administrative shares (C$, D$ ...) are enabled
2008-08-27 07:59 >> Security: anonymous user access is enabled
2008-08-27 07:59 >> Security: sending Remote Assistant queries is enabled
2008-08-27 07:59 >> Abnormal SCR files association
2008-08-27 07:59 >> Abnormal REG files association
2008-08-27 07:59 >> Service termination timeout is out of admissible values
2008-08-27 07:59 >> Disable HDD autorun
2008-08-27 07:59 >> Disable autorun from network drives
2008-08-27 07:59 >> Disable CD/DVD autorun
2008-08-27 07:59 >> Disable removable media autorun
2008-08-27 07:59 System Analysis in progress
2008-08-27 08:03 System Analysis - complete
2008-08-27 08:03 Delete file:F:\Documents and Settings\All Users\Desktop\Kaspersky Lab Tool\is-128IM\LOG\avptool_syscheck.htm
2008-08-27 08:03 Delete file:F:\Documents and Settings\All Users\Desktop\Kaspersky Lab Tool\is-128IM\LOG\avptool_syscheck.xml
2008-08-27 08:03 Deleting service/driver: utizmtu5
2008-08-27 08:03 Delete file:F:\WINDOWS\system32\Drivers\utizmtu5.sys
2008-08-27 08:03 Deleting service/driver: ujizmtu5
2008-08-27 08:03 Script executed without errors

RiC
27.08.2008, 15:55
It is only part of the log; look for the full logfile in the avptool_syscheck.zip archive, it should look like this example (http://virusinfo.info/showpost.php?p=274559&postcount=1).

comafrf
28.08.2008, 23:08
Thanks RiC, I will go see this link.

neomage
28.07.2009, 17:00
Post your log in http://virusinfo.info/forumdisplay.php?f=84 for help. Thanks.